<p>This rule is deprecated, and will eventually be removed.</p>
<p><a href="https://developer.mozilla.org/en-US/docs/Web/Security/Certificate_Transparency">Certificate Transparency</a> (CT) is an open-framework to
protect against identity theft when certificates are issued. <a href="https://en.wikipedia.org/wiki/Certificate_authority">Certificate Authorities</a>
(CA) electronically sign certificate after verifying the identify of the certificate owner. Attackers use, among other things, social engineering
attacks to trick a CA to correctly verifying a spoofed identity/forged certificate.</p>
<p>CAs implement Certificate Transparency framework to publicly log the records of newly issued certificates, allowing the public and in particular
the identity owner to monitor these logs to verify that his identify was not usurped.</p>
<h2>Ask Yourself Whether</h2>
<ul>
  <li> The website identity is valuable and well-known, therefore prone to theft. </li>
</ul>
<p>There is a risk if you answered yes to this question.</p>
<h2>Recommended Secure Coding Practices</h2>
<p>Implement <a href="https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Expect-CT">Expect-CT</a> HTTP header which instructs the web browser
to check <a href="https://www.certificate-transparency.org/known-logs">public CT logs</a> in order to verify if the website appears inside and if it
is not, the browser will block the request and display a warning to the user.</p>
<h2>Sensitive Code Example</h2>
<p>In Express.js application the code is sensitive if the <a href="https://www.npmjs.com/package/expect-ct">expect-ct</a> middleware is disabled:</p>
<pre>
const express = require('express');
const helmet = require('helmet');

let app = express();

app.use(
    helmet({
      expectCt: false // Sensitive
    })
);
</pre>
<h2>Compliant Solution</h2>
<p>In Express.js application the <a href="https://www.npmjs.com/package/expect-ct">expect-ct</a> middleware is the standard way to implement
expect-ct. Usually, the deployment of this policy starts with the report only mode (<code>enforce: false</code>) and with a low <code>maxAge</code>
(the number of seconds the policy will apply) value and next if everything works well it is recommended to block future connections that violate
Expect-CT policy (<code>enforce: true</code>) and greater value for maxAge directive:</p>
<pre>
const express = require('express');
const helmet = require('helmet');

let app = express();

app.use(helmet.expectCt({
  enforce: true,
  maxAge: 86400
})); // Compliant
</pre>
<h2>See</h2>
<ul>
  <li> OWASP - <a href="https://owasp.org/Top10/A05_2021-Security_Misconfiguration/">Top 10 2021 Category A5 - Security Misconfiguration</a> </li>
  <li> OWASP - <a href="https://owasp.org/www-project-top-ten/2017/A3_2017-Sensitive_Data_Exposure">Top 10 2017 Category A3 - Sensitive Data
  Exposure</a> </li>
  <li> <a href="https://developer.mozilla.org/en-US/docs/Web/Security/Certificate_Transparency">developer.mozilla.org</a> - Certificate Transparency
  </li>
  <li> <a href="https://en.wikipedia.org/wiki/Certificate_authority">wikipedia.org</a> - Certificate Authority </li>
</ul>
